shibboleth-dev - RE: Continuing the cookie discussion...

Subject: Shibboleth Developers

  • From: "Howard Gilbert" <>
  • To: "'Walter Hoehn'" <>
  • Cc: <>
  • Subject: RE: Continuing the cookie discussion...
  • Date: Thu, 16 Dec 2004 00:00:31 -0500

> Can't we just do some JNDI magic to allow the session data to span
> these contexts without re-directs?

We already have magic to allow the Session object (managed by the
/shibboleth context) to be available upon request to the Resource Managers.
The purpose of the cookie is not to carry the Session data, but only to
identify the session. Only the Browser can carry a token that identifies an
HTTP request with some existing server-side state. So again it becomes a
problem for cookies and their scope.

The purpose of the redirects is not to move the session data around. It is
to redirect the Browser from a URL scope where no cookie has been assigned
to a trusted, authoritative URL within the scope of a preexisting cookie.
There the cookie can be read, the identity of the Browser can be
established, and then the old Session ID can be extended to the new context
where a new cookie can be issued for it.
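
The redirect sequence described in this message, modeled as an added example (not code from the post or from Shibboleth): a browser holding a cookie scoped to /shibboleth asks for a URL in another context, is redirected to an authoritative URL where that cookie is visible, and returns with a new cookie scoped to the new context. The context names /app1 and /app2, the /shibboleth/extend URL, the `target` parameter and the single-use `handoff` token are assumptions made for illustration; the message does not say how the session ID is carried back.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs
SESSIONS = {"S1": {"user": "alice"}}  # constructed server-side state in /shibboleth
HANDOFF = {}                          # one-time token -> (session id, context)
CONTEXTS = {"/app1", "/app2"}         # hypothetical Resource Manager contexts

def cookie_for(jar, path):
    """Browser rule: a cookie is sent only to URLs inside its Path scope."""
    return next((sid for scope, sid in jar.items()
                 if path == scope or path.startswith(scope + "/")), None)

def context_of(path):
    parts = path.split("/")
    return "/" + parts[1] if len(parts) > 1 and parts[0] == "" else None

def extend(jar, path, query):
    """Authoritative URL under /shibboleth, inside the existing cookie's scope."""
    target = parse_qs(query).get("target", [""])[0]
    sid = cookie_for(jar, path)
    if sid not in SESSIONS or context_of(target) not in CONTEXTS:
        return 403, None              # no known session, or unregistered target
    token = secrets.token_urlsafe(16)
    HANDOFF[token] = (sid, context_of(target))
    return 302, target + "?" + urlencode({"handoff": token})

def resource(jar, path, query):
    """Resource context: use local cookie, else redeem a token, else redirect."""
    sid = cookie_for(jar, path)
    token = parse_qs(query).get("handoff", [None])[0]
    if sid is None and token is not None:
        sid, ctx = HANDOFF.pop(token, (None, None))   # single use
        if sid is None or ctx != context_of(path):
            return 403, None
        jar[ctx] = sid                # new cookie, scoped to this context only
    if sid is None:
        return 302, "/shibboleth/extend?" + urlencode({"target": path})
    return 200, SESSIONS.get(sid)

def follow(jar, url):
    """Follow redirects as a browser would; return (status, body, paths visited)."""
    hops = []
    while True:
        u = urlparse(url)
        hops.append(u.path)
        handler = extend if u.path == "/shibboleth/extend" else resource
        status, out = handler(jar, u.path, u.query)
        if status != 302:
            return status, out, hops
        url = out
```

Calling `follow({"/shibboleth": "S1"}, "/app1/page")` visits /app1/page, /shibboleth/extend and /app1/page again; a later request under /app1 is served without any redirect, while /app2 still sees no cookie.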



